Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fiverraffiliates Fiverr.com Official Search Box fiverr-official-search-box allows Stored XSS.This issue affects Fiverr.com Official Search Box: from n/a through <= 1.0.8.
Published: 2025-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross‑Site Scripting flaw in the Fiverr.com Official Search Box plugin, enabling an attacker to inject malicious scripts into pages served to users. If exploited, the script can read or modify page content, hijack user sessions, and potentially exfiltrate sensitive data or spread malware. The flaw is rooted in improper input sanitization as indicated by its CWE‑79 classification.

Affected Systems

WordPress sites utilizing the Fiverr.com Official Search Box plugin with version numbers up to and including 1.0.8 are affected. The plugin is distributed, via the fiverraffiliates vendor, and any WordPress installation that has not upgraded beyond version 1.0.8 remains vulnerable.

Risk and Exploitability

The CVSS score of 6.5 categorizes the issue as medium severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. It is not listed in the CISA KEV catalog, further implying limited current exploitation activity. The most probable attack vector is through user interaction with the search box; an attacker can submit a crafted search query that is stored and subsequently rendered on the site, delivering the malicious payload to end users.

Generated by OpenCVE AI on May 2, 2026 at 03:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fiverr.com Official Search Box plugin to the latest available version, which removes the stored XSS vulnerability.
  • If an update is unavailable, disable or uninstall the plugin entirely to eliminate the attack surface.
  • As an interim safeguard, configure a strict Content Security Policy that restricts inline scripts and disallows script execution from untrusted sources.

Generated by OpenCVE AI on May 2, 2026 at 03:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8151 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Fiverr.com Official Search Box allows Stored XSS. This issue affects Fiverr.com Official Search Box: from n/a through 1.0.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Fiverr.com Official Search Box allows Stored XSS. This issue affects Fiverr.com Official Search Box: from n/a through 1.0.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fiverraffiliates Fiverr.com Official Search Box fiverr-official-search-box allows Stored XSS.This issue affects Fiverr.com Official Search Box: from n/a through <= 1.0.8.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 26 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Fiverr.com Official Search Box allows Stored XSS. This issue affects Fiverr.com Official Search Box: from n/a through 1.0.8.
Title WordPress Fiverr.com Official Search Box plugin <= 1.0.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.905Z

Reserved: 2025-03-11T08:09:09.174Z

Link: CVE-2025-28885

cve-icon Vulnrichment

Updated: 2025-03-26T15:01:56.949Z

cve-icon NVD

Status : Deferred

Published: 2025-03-26T15:16:15.380

Modified: 2026-04-23T15:26:31.917

Link: CVE-2025-28885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:30:16Z

Weaknesses